Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add blog post for the security audit results #4850

Merged
merged 4 commits into from
Jul 22, 2024
Merged

Add blog post for the security audit results #4850

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
42b4392
Add blog post for the security audit results
svrnm Jul 18, 2024
5a7ee2a
add austin as author
svrnm Jul 22, 2024
a4dd8c8
Merge branch 'main' into security-audit-results
austinlparker Jul 22, 2024
ba570e4
Results from /fix:all
opentelemetrybot Jul 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 46 additions & 0 deletions content/en/blog/2024/security-audit-results.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
---
title: OpenTelemetry Security Audit Published
linkTitle: Security Audit Results
date: 2024-07-22
author: >-
[Author1 Name](https://github.com/author1_GH_ID) (Organization Name 1),
[AuthorX Name](https://github.com/authorX_GH_ID) (Organization Name X)
svrnm marked this conversation as resolved.
Show resolved Hide resolved
issue:
sig: GC
---

Thousands of organizations and millions of users around the world rely on
[OpenTelemetry](/) as part of their observability toolkit. To this end, it is
our responsibility as a project to ensure our code is safe, secure, and
performant. In conjunction with [OSTIF](https://ostif.org/) and
[7ASecurity](https://7asecurity.com/), and the support of the
[Cloud Native Computing Foundation](https://www.cncf.io/), we recently engaged
upon a security audit of the OpenTelemetry Collector and four SDKs – Go, Java,
C#, and Python.

We are pleased to announce the publication of this audit, as well as its
results. Two CVEs were identified and remediated prior to the publication of
this audit (see
[CVE-2024-36129](https://nvd.nist.gov/vuln/detail/CVE-2024-36129) for
information on both) in the OpenTelemetry Collector, and five hardening
recommendations were made. Overall, the results of the audit are very positive,
with the auditors noting the high quality of source code and the security best
practices that the project is following.

The conclusion of this audit marks an important milestone on our journey towards
the next stage of maturity in the CNCF, graduation. We’ll have more to share on
that in the coming months. The OpenTelemetry Governance Committee and Security
SIG would also like to personally commend the contributors and maintainers of
OpenTelemetry for their high-quality work over the years.

Finally, we would like to thank the following individuals and groups:

- SIG Security
- SIG Collector
- 7ASecurity
- OSTIF

You can read more about the audit on the
[OSTIF](https://www.ostif.org/otel-audit-complete/) and 7A Security blogs, or
read the
[full report](https://7asecurity.com/reports/pentest-report-opentelemetry.pdf).